1. Introduction


1.1  Background 

The  complex  decision-making  problem  of  determining  whether  or  not  a  system  has  sufficient 
capability  to  complete  the  mission  following  a  damaging  event  is  part  of  the  evolution  of  combat. 
This  problem  cannot  be  easily  answered  using  traditional  methods  and  metrics  within  the  live- 
fire  analysis  community.  Traditional  analysis  efforts  have  been  focused  on  an  aggregated 
qualitative metric called loss of function (LOF) which has a number of drawbacks (1, 2). The
first  is  that  many  of  the  consumers  of  the  LOF  metric  do  not  have  a  good  understanding  of  what 
it  means.  For  example,  if  a  system  has  received  a  50%  loss  of  mobility,  what  will  that  mean  in  a 
combat  situation?  A  common  misinterpretation  is  that  it  is  a  probability  of  “killed”  or  “not- 
killed,”  when  it  is  really  a  qualitative  measure  of  how  many  missions  a  system  will  be  unable  to 
perform  (3).  In  combination  with  this  ambiguity  is  the  fact  that  a  LOF  metric  cannot  be 
empirically observed in any test used for U.S. Army live-fire test and evaluation (LFT&E). All
data in a test that can be measured is fundamentally quantitative—such as the speed a vehicle can
attain after a damaging event—which is not represented in an LOF.

Due  to  these  drawbacks,  the  need  for  a  quantitative  methodology  and  metric  was  identified.  To 
fill  this  need,  the  System  Capabilities  Analytic  Process  (SCAP)  was  developed.  This 
methodology  quantitatively  and  logically  links  the  functional  states  of  a  system’s  components  to 
the  capabilities  of  the  system.  These  capabilities  are  reported  in  terms  that  are  shared  with  the 
military  user  of  the  combat  system,  which  provides  the  decision-maker  with  the  information  that 
is  required  to  determine  a  course  of  action  following  a  damaging  event. 

1.2  A  New  Product  for  System  Analysis:  The  Functional  Skeleton 

The  primary  product  generated  by  the  application  of  SCAP  is  the  creation  of  a  functional 
skeleton  (FS)  which  is  a  map  between  a  system’s  components  and  its  capabilities.  The  FS 
includes  the  contributions  of  all  components  of  a  system,  including  the  hardware,  the  software, 
and  the  personnel  operating  the  system.  The  FS  can  be  used  to  link  capabilities  within  a  system- 
of-systems  (SOS)  so  that  an  analyst  can  know  how  the  loss  of  critically  important  hardware  on 
one  system  will  affect  the  performance  of  a  networked  or  interacting  system.  Because  of  the 
quantitative  nature  of  the  FS,  it  can  be  utilized  by  a  number  of  analytic  domains.  Some  of  these 
domains  are  reliability,  automotive  performance,  personnel  interactions,  and  live-fire  analysis. 
Because  the  cause  of  the  component  failure  is  not  critical  to  the  FS,  it  allows  failures  from 
several  forms  to  be  applied  to  a  single  evaluation.  For  example,  a  component  can  suffer  a 
reliability  failure  which  makes  a  system  vulnerable  to  an  attack.  The  attack  occurs  and  hardware 
is  damaged,  at  which  time  the  functional  skeleton  considers  both  failures  in  determining  the 
remaining  capabilities. 

1.3 The Outline of This Report


This  report  details  the  fundamentals  of  SCAP  and  displays  only  generalized  examples  of  its  use. 
Specific  examples  of  applications  will  be  published  in  follow-up  documentation  as  they  are 
developed. 

A  brief  review  of  the  concepts  of  a  criticality  analysis  (CA)  is  presented  followed  by  an 
explanation  of  fault-tree  analysis  as  used  in  SCAP.  A  large  section  of  this  report  is  focused  on 
the  four  levels  of  the  FS,  and  on  how  the  FS  relates  to  standardized  U.S.  Army  mission  tasks. 
After  a  discussion  of  several  example  uses  of  the  FS,  attention  is  given  to  how  to  construct  the 
FS.  The  mathematical  representation  of  the  functional  skeleton  will  conclude  the  technical 
portion  of  this  report. 

SCAP is an evolving methodology and has only recently been integrated into U.S. Army analysis
efforts. Existing voids in the process and a path for filling these voids are presented near the end
of the report.


2.  Criticality  Analysis 


A  criticality  analysis  is  the  process  of  examining  a  system  to  determine  which  components  of 
that  system  are  required  for  the  system  to  perform  as  intended.  A  component  is  considered 
critical  when  damage  to,  or  failure  of,  the  component  can  affect  the  performance  of  one  or  more 
of  the  system’s  primary  mission  functions.  The  results  of  component  dependency  in  a  criticality 
analysis  are  presented  in  diagrams  known  as  fault  trees. 

The  methods  used  to  identify  which  components  are  critical  are  not  covered  in  this  report.  These 
methods  are  well  documented  in  other  publications;  therefore  the  focus  of  this  report  will  be  on 
how  to  structure  a  functional  framework  once  the  critical  components  have  been  identified. 


3.  Fault  Tree  Analysis 


The fault tree—both graphically and mathematically—is a fundamental tool for defining the
relationships between the components and the capabilities of a system. The fault trees are
graphical representations of a methodology known as fault tree analysis (4). A fault tree is a
logic diagram that reports the state of a system/group in terms of the functional states of the
inclusive elements. The elements in each tree are connected by series and/or parallel paths.
SCAP uses a modified form of fault tree analysis, in that the graphical conventions are much
simpler than the industry standards (5-7). The beginning of the fault tree is denoted by a single
“x”; the end of the fault tree is denoted by a double “x.” Each element in a fault tree is
considered to be either fully functional or fully dysfunctional. The fault tree is functional only if
an unbreakable path through a sequence of functional elements can be traced from the single “x”
to the double “x” in the fault tree.

A sample fault tree for a generic sub-system is depicted in figure 1. The relationship between
element 1 and element 2 is a series relationship. A series relationship is functional only if all
elements of the series portion of the tree are functional. If, for any reason, any element in a
series tree is dysfunctional, then the entire tree is considered dysfunctional. The branching
relationship from element 2 to elements 3 and 5 is a depiction of a parallel relationship. For
parallel relationships, only one branch is required to be functional for the tree to be considered
functional. Figure 2 depicts how a fault tree can be a further decomposition of an element in
another, higher-level fault tree.


Figure 1. A sample fault tree.

Figure 2. A fault tree for an element of a higher-level fault tree.

A  fault  tree  can  be  represented  mathematically  (8).  The  mathematics  for  fault  tree  analysis  is 
based  on  the  current  functioning  state  of  the  system.  Assume  that  the  functional  state  of  a 
component is represented by a binary set: a “1” represents an element that is functional, while a “0”
represents an element that is dysfunctional. Assume the element of interest is element 3 in figure
2, henceforth denoted as E3. Therefore, E3 is mathematically represented as:

$$E_3 = \begin{cases} 0, & \text{dysfunctional} \\ 1, & \text{functional} \end{cases} \tag{1}$$

It  is  possible  to  evaluate  the  total  function  or  dysfunction  of  the  entire  fault  tree  by  evaluating  the 
functional  state  of  all  elements  within  the  fault  tree.  For  a  series  relationship,  the  functional  state 
of  the  tree — and  therefore  the  higher-level  assembly — is  represented  by  the  product-sum  of  all 
the  elements  in  the  series,  as  shown  in  equation  2. 


$$A_j = \prod_i (E_i) \tag{2}$$

If Aj = 1, then the assembly Aj is considered functional. If Aj = 0, then the assembly Aj is
considered  dysfunctional. 

For a parallel relationship, the functional state of the tree—and therefore the higher-level
assembly—is represented by equation 3, where B_i is the functional representation of each
independent branch of the parallel tree.

(3) 

If  Aj  =  1,  then  the  assembly  Aj  is  considered  functional.  If  Aj  =  0,  then  the  assembly  Aj  is 
considered  dysfunctional. 

It  is  possible  to  combine  the  mathematics  of  series  and  parallel  relationships.  If  a  branch  of  a 
parallel  tree  is  composed  of  a  series  relationship  of  elements,  then  the  equation  for  a  series 
relationship  would  be  substituted  for  the  variable  representing  the  function  of  the  branch.  If  a 
parallel  relationship  exists  within  a  series  tree,  then  the  mathematical  representation  of  the 
parallel  branches  would  be  included  as  one  of  the  elements  in  the  series  product  sum.  There  is 
no limit to complexity of these combinations, so long as the analyst can maintain the
record-keeping. As an example, recall the fault tree for A2 depicted in figure 2. In this case, the
equation  representing  the  functional  state  of  A2  can  be  constructed  by  combining  the 
mathematical  relationships  for  both  series  and  parallel.  The  resulting  equation  is: 

4  =£,  ■{i-{(1-{£3  (4) 
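
The series and parallel rules above can be evaluated mechanically. The following Python code is an added example, not code from the report: the tree layout is constructed, and the parallel rule uses the standard form 1 − ∏(1 − B_i), which is assumed here because equation 3 is not legible on this page. It goes one step beyond the section by also enumerating minimal cut sets, the smallest sets of elements whose joint dysfunction breaks every path.

```python
from itertools import combinations

# Constructed tree (the report's figures are not reproduced here): elements 1
# and 2 in series, followed by two parallel branches, each a series pair.
TREE = ("series", [
    ("E", "E1"),
    ("E", "E2"),
    ("parallel", [
        ("series", [("E", "E3"), ("E", "E4")]),
        ("series", [("E", "E5"), ("E", "E6")]),
    ]),
])


def evaluate(tree, state):
    """Return 1 if the tree is functional, 0 if dysfunctional.

    state maps element name -> 1 (functional) or 0 (dysfunctional).
    """
    kind, body = tree
    if kind == "E":
        return state[body]
    values = [evaluate(child, state) for child in body]
    if kind == "series":
        result = 1
        for v in values:
            result *= v  # equation 2: product over the series elements
        return result
    if kind == "parallel":
        all_failed = 1
        for v in values:
            all_failed *= 1 - v  # stays 1 only while every branch is dysfunctional
        return 1 - all_failed  # assumed standard form: 1 - prod(1 - B_i)
    raise ValueError(f"unknown node kind: {kind!r}")


def elements(tree):
    """List every element name in the tree, left to right."""
    kind, body = tree
    if kind == "E":
        return [body]
    return [name for child in body for name in elements(child)]


def state_after(tree, failed):
    """All elements default to functional; those in `failed` are set to 0."""
    return {name: 0 if name in failed else 1 for name in elements(tree)}


def minimal_cut_sets(tree, max_size=3):
    """Smallest sets of elements whose joint dysfunction breaks every path.

    Sizes are tried in ascending order, so a candidate that contains an
    already-found cut set is skipped as non-minimal.
    """
    found = []
    names = elements(tree)
    for size in range(1, max_size + 1):
        for combo in combinations(names, size):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in found):
                continue
            if evaluate(tree, state_after(tree, candidate)) == 0:
                found.append(candidate)
    return found


if __name__ == "__main__":
    # A reliability failure of E4 alone leaves a functional path through E5-E6.
    print(evaluate(TREE, state_after(TREE, {"E4"})))
    # Later damage to E5 combines with it, whatever the cause of each failure.
    print(evaluate(TREE, state_after(TREE, {"E4", "E5"})))
    for cut in minimal_cut_sets(TREE):
        print(sorted(cut))
```

Single-element cut sets are the series elements; every other cut set needs one element from each parallel branch.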


4.  SCAP  Defined 


4.1  An  Overview  of  the  SCAP  and  the  FS 

When  analyzing  a  system  using  SCAP,  a  map  is  created  to  define  the  relationship  between 
components  of  the  system  and  the  system’s  capabilities.  The  map  of  these  relationships  is 
known  as  the  FS.  The  levels  of  the  FS  are  depicted  in  figure  3.  Throughout  the  FS,  all  data  is 
explicit  and  quantitative;  in  other  words,  it  defines  what  is  functional  or  what  can  be 
accomplished by the system. The mission task is analyzed or evaluated using the FS, and consists of the
actions that are employed to utilize the system. The map between the system capabilities (SC)
and the mission tasks is not entirely scientific and falls more into the “art of war.” The FS will
tell you what SC’s are functional, and the analyst decides if and how these SC allow you to
accomplish the mission using the commander’s intent. The FS will be discussed in sections
4.4.1-4.4.4. Mission tasks will be discussed in section 4.4.5.

Figure 3. The levels of the FS.

A  mnemonic  to  understand  how  the  FS  relates  to  the  system’s  hardware  and  the  actions  defined 
by  a  mission  task  is:  “When  components  are  grouped  into  sub-systems,  they  will  produce 
functions  that  will  provide  the  capability  to  complete  the  mission  task.” 

4.2  Potential  Lexicon  Conflicts 

SCAP  has  potential  applications  in  multiple  other  government  agencies  and  analysis  domains,  in 
which  particular  lexicon  may  have  a  unique  meaning.  Therefore,  a  possible  conflict  in  lexicon 
between  SCAP  and  these  other  government  agencies  has  been  identified.  In  fact,  there  are 
multiple  military  definitions  for  the  same  words  which  may  represent  fundamentally  different 
concepts  to  different  government  agencies. 

The  definitions  of  terms  generally  used  in  the  T&E  community  are  derived  from  military 
application.  However,  since  SCAP  has  possible  application  across  more  than  the  Department  of 
Defense  (DOD),  the  definitions  presented  in  this  document  are  derived  from  industrial  standards 
of  systems  and  reliability  engineering. 

4.3  Definitions  of  Dysfunction 

In  all  levels  of  the  FS,  the  concept  of  dysfunction  will  be  the  same.  An  element  or  assembly  is 
considered  to  be  “functional”  if  it  is  performing  as  it  was  intended  by  the  system’s  designers 
without  any  measurable  degradation.  An  element  is  considered  to  be  “dysfunctional”  if  it  is  not 
performing  as  intended  or  if  it  is  entirely  absent.  A  “transient  dysfunction”  is  when  an  element 
is  not  performing  as  it  was  intended  due  to  some  influence,  but  will  return  to  full  functionality 
when the influence is either compensated for or removed. Transient dysfunctions are most
commonly associated with the non-destructive dysfunctions, which include electronic warfare,
personnel actions or status, or issues with networked communications. All three of these
dysfunctions are discussed in the following sections.

4.4  The  Functional  Skeleton 

Each  level  of  the  FS  is  explained  in  detail  in  the  next  few  sections.  The  partial  decomposition  of 
a  commercially-available  light-duty  truck  will  be  used  to  help  explain  the  four  levels  of  the  FS. 

It  is  assumed  that  an  analyst  has  acquired  the  information  for  this  light-duty  truck — depicted  in 
figure  4 — and  is  compiling  the  FS  for  this  vehicle.  Recalling  the  explanations  of  fault  tree 
analysis in section 3, the FS will be considered an aggregated fault tree from the components of the
truck up through the capabilities of the vehicle.


Figure  4.  A  commercially  available  light-duty  truck. 

4.4.1  Components 

The  components  are  the  lowest  level  of  the  FS  and  are  the  physical  parts  of  the  system  that  is 
being  analyzed.  Components  can  be  either  individual  parts,  such  as  a  drive  shaft,  or  they  could 
be  a  functional  sub-assembly  that  is  considered  a  line-replaceable  unit  in  the  field,  such  as  a  fuel 
pump.  Or  they  can  even  be  a  human  interacting  with  the  system,  which  will  be  discussed  in 
section  4.5. 

A  component  is  considered  dysfunctional  when  some  interaction  has  rendered  it  unable  to 
function  as  designed.  For  the  case  of  ballistic  vulnerability,  this  occurs  when  some  threat  has 
damaged  the  component  to  the  point  that  it  will  no  longer  function  properly,  which  is  defined  in 
traditional  methodologies  as  “killed.”  In  addition  to  ballistic  vulnerability,  any  form  of  insult  can 
be applied to render a component dysfunctional (9, 10). Some of these insults can be, but are not
limited to, environmental effects or contamination, reliability failure, chemical attack, or system
abuse.  A  component  can  also  be  considered  dysfunctional  in  the  simple  case  of  it  not  being 
powered  on,  such  as  a  radio  that  is  unintentionally  left  off. 

By default all components are assumed to be functional (C_i = 1) when the FS is constructed. A
component  is  dysfunctional  when  some  interaction  or  insult  has  either  deactivated  it  or 
sufficiently  damaged  the  material  to  cause  it  to  fail  to  function.  A  component  can  also  be  subject 
to  a  transient  dysfunction.  One  simple  example  is  a  machine  gun  that  has  been  rendered 
dysfunctional  because  the  barrel  (the  component)  has  overheated  due  to  duration  of  fire  in  excess 
of  the  time-threshold  the  barrel  was  designed  to  sustain.  Once  the  barrel  cools,  it  is  theoretically 
possible  for  the  gun  to  be  functional  again. 

A  partial  component  dysfunction — a  component  that  is  performing  somewhere  between  fully 
dysfunctional and fully functional—is not currently modeled with the FS. Theoretically, an
infinite scale of partial dysfunctions exists; therefore, it is not possible to quantitatively map every
possibility. Therefore, if a component has been sufficiently damaged to affect its function, it is
considered  “killed”  or  dysfunctional. 

For  the  case  of  the  light-duty  truck,  assume  that  one  of  the  components  of  interest  is  the  front  tire 
on  the  left  (driver’s  side)  of  the  vehicle.  As  long  as  the  tire  holds  air  and  has  sufficient  tread  to 
maintain  traction,  the  component  is  considered  functional.  If  we  are  to  assume  a  hole  has  been 
placed  in  the  tire  and  it  is  flat,  then  it  is  considered  “killed”  or  dysfunctional.  As  partial 
component  dysfunctions  are  not  represented,  a  hole  in  the  tire  that  does  not  release  all  the  air 
pressure  would  be  considered  “functional.” 

4.4.2  Sub-Systems 

A  sub-system  (SS)  is  a  collection  of  components  assembled  and  functioning  together  to  perform 
a  specific  purpose.  For  the  example  of  the  light-duty  truck,  we  will  compose  the  front-left  wheel 
sub-system.  This  subsystem  is  composed  of  the  tire,  the  wheel,  and  the  hub. 

In  some  cases,  a  sub-system  is  composed  of  a  single  component,  such  as  a  portable  global 
positioning  system  (GPS)  unit.  There  are  also  times  when  a  subsystem  is  a  complex  assembly  of 
other smaller sub-systems. A sub-system fault tree can contain both components and other sub-systems.
This is the only level of the FS where elements from two levels are allowed to be in the
same  fault  tree. 

4.4.3  System  Functions 

The system function (SF) is an observable, repeatable, and measurable performance of a sub-system
or a collection of sub-systems. When the sub-systems are functioning as intended, their
successful  operations  and  actions  are  the  observed  system  functions.  Some  examples  of  SF’s 
are:  maintain  engine  lubrication,  maintain  proper  operating  temperature,  maintain  traction, 
generate  energy  from  fuel,  aim  weapon,  and  so  on. 

4.4.3.1 Fault Tree Representation of SF’s. The complexity of the SF determines the choice of
the elements for the fault tree when it is constructed. For the majority of cases, the SF will be a
simple tree to represent operation such as “maintain lubrication.” For cases of this nature, the
elements of the SF fault tree are the sub-systems that produce these functions. Some less-
common forms of SF’s are ones that represent relatively complex performances—such as
calculating the trajectory of an attack. In cases like this, the elements of the SF will be lower-
order SF’s, such as: determine location of weapon, determine range to target, compute ballistic
path, and so on. An example of this kind of relationship is depicted in figure 5.


Figure 5. An SF with other SF’s as its elements. (Shown: the SF “Calculate attack trajectory” with the SF’s “Determine location of weapon,” “Determine range to target,” and “Compute ballistic path” as its elements.)


When  composing  the  SF’s  fault  trees,  the  elements  will  be  either  sub-systems  or  other  system 
functions,  but  never  both  in  a  single  tree.  If  we  were  allowed  to  mix  the  levels,  then  we  could 
have  a  fault  tree  that  could  contain  both  the  physical  hardware  of  a  system  and  a  measure  of  a 
system  performance.  As  both  of  these  levels  are  fundamentally  different  concepts,  there  is  no 
quantitative  way  to  aggregate  these  into  a  single  answer.  The  only  option  is  to  keep  them 
separated  so  that  SF  can  aggregate  into  other  SF  or  that  a  SS  can  produce  a  SF.  If  this  rule  were 
violated in the example of the light-duty truck, then an analyst would be able to construct a fault
tree with both the SF “maintain lubrication” and a SS of “engine system” on the same level with
each other. An example of this improper mixing is depicted in figure 6.

Figure 6. An example of an improper mixing of SF and sub-system elements. (Shown: the system function “Generate power” with mixed-level elements.)

There  are  cases  where  a  SF  can  be  present  in  the  FS  without  any  elements  to  define  the  function. 
This  occurs  when  a  system  function  is  required  for  the  successful  operation  of  a  system  but  no 
feature  of  the  design  is  able  to  perform  this  function.  One  example  is  a  heavy  machine  gun  that 
has  no  cooling-system.  The  SF  of  “maintain  proper  operating  temperature”  is  present  in  the  FS, 
but  if  the  gun  relies  on  ambient-air  convective  cooling  then  no  elements  are  assigned  to  the  SF 
fault  tree.  When  the  gun  overheats,  a  transient  dysfunction  occurs  on  this  SF  until  the  system 
cools  down  to  operating  temperatures.  If  the  system  is  unable  to  return  to  a  normal  operating 
state,  then  a  permanent  dysfunction  occurs. 

4.4.3.2 Binary and Probabilistic System Functions. In most mechanical systems, the
representation of the SF is a binary set—either functional (SF_i = 1) or dysfunctional (SF_i = 0)—
based on the functionality of the elements in the fault tree, which is depicted in figure 7.

Early  in  the  development  of  SCAP,  a  situation  was  discovered  where  the  elements  of  an  SF  were 
all  functional,  but  it  was  possible  for  an  SF  to  sometimes  perform  successfully  and  sometimes 
perform  unsuccessfully  based  on  conditions  acting  on  the  sub-systems.  If  a  SF  has  a  probability 
of  being  successful  versus  unsuccessful  based  on  conditions  acting  on  functional  sub-systems, 
then  it  is  defined  to  be  a  probabilistic  system  function  (PSF).  A  PSF  is  best  modeled 
mathematically  as  a  Bernoulli  trial  where  the  criteria  for  a  success  is  the  probability  mass 
function  that  contains  the  requirements  for  success,  as  will  be  seen  in  the  following  example. 

Figure 7. Binary system function.


In  the  example  of  a  simplified  infrared  (IR)  sensor  depicted  in  figure  8,  assuming  all  components 
are  fully  functional,  the  IR  signal  detection  sub-system  is  at  full  performance,  and  therefore  fully 
functional. To determine if the performance of the SF “detect IR signal” is successful or
unsuccessful, conditions such as the strength of the source signal and distance between the
source of the signal and the sensor determine the performance thresholds, and therefore
determine the probability the SF is indeed functional. If a signal is too weak to be detected, the
SF “detect IR signal” would be dysfunctional even if all the components are functioning
correctly.  In  the  example  shown,  a  “maximum”  signal  is  detected  about  60%  of  the  time  for  a 
given  distance  from  the  sensor  of  interest.  Therefore,  about  60%  of  the  time,  when  these 
conditions  are  present,  the  “detect  IR  signal”  SF  is  functional  and  about  40%  of  the  time  it  is 
dysfunctional. 

The probability that a PSF is functional can be modified if the conditions affecting the PSF are
changed.  For  example,  the  presence  of  flares  could  provide  a  stronger  IR  signal  than  the  source 
signal.  In  this  case,  the  probability  of  correctly  detecting  the  source  signal  would  decrease  as  the 
sensor  may  detect  the  wrong  signal,  thus  rendering  a  SF  as  dysfunctional  even  though  all 
components  are  functioning  as  intended. 

Figure 8. Probabilistic SF.

To  determine  if  a  PSF  is  functional,  an  analyst  will  need  to  examine  the  conditions  and  criteria  in 
the  probability  mass  function  and  find  the  conditions  that  most  closely  match  the  ones  that 
currently  exist  on  the  sub-systems  in  the  PSF.  Once  the  probability  of  the  PSF  being  functional 
is  determined,  a  random  draw  on  the  probability  occurs  to  see  if  the  PSF  is  assessed  as 
functional. 
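
An added example (not from the report) of the PSF assessment just described: find the closest-matching conditions in a probability table, then make a random draw. The table values, units, and function names are constructed; only the roughly 60% figure for a maximum-strength signal is from the text.

```python
import math
import random

# Constructed probability table for the PSF "detect IR signal". Each row is
# (relative source strength 0..1, range in km, flares present, P(functional)).
# Only the roughly 60% figure for a maximum-strength signal comes from the page.
DETECT_IR_TABLE = [
    (1.0, 2.0, False, 0.60),
    (0.5, 2.0, False, 0.35),
    (1.0, 4.0, False, 0.30),
    (0.5, 4.0, False, 0.10),
    (1.0, 2.0, True, 0.25),
    (1.0, 4.0, True, 0.10),
]
MAX_RANGE_KM = 4.0  # puts range on the same 0..1 scale as source strength


def probability_functional(strength, range_km, flares):
    """Return P(functional) from the table row that most closely matches."""
    rows = [row for row in DETECT_IR_TABLE if row[2] == flares]

    def mismatch(row):
        return math.hypot(row[0] - strength, (row[1] - range_km) / MAX_RANGE_KM)

    return min(rows, key=mismatch)[3]


def assess_psf(sub_system_states, strength, range_km, flares, rng):
    """One assessment: 1 if the PSF is functional for this draw, else 0."""
    if not all(sub_system_states.values()):
        return 0  # a dysfunctional sub-system fails the SF before any draw
    p = probability_functional(strength, range_km, flares)
    return 1 if rng.random() < p else 0


def functional_rate(sub_system_states, strength, range_km, flares,
                    trials=20000, seed=1):
    """Fraction of repeated assessments in which the PSF was functional."""
    rng = random.Random(seed)
    hits = sum(assess_psf(sub_system_states, strength, range_km, flares, rng)
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    healthy = {"IR signal detection": 1}
    print(probability_functional(0.95, 2.2, False))
    print(functional_rate(healthy, 1.0, 2.0, False))
    print(functional_rate(healthy, 1.0, 2.0, True))   # flares lower the rate
    print(functional_rate({"IR signal detection": 0}, 1.0, 2.0, False))
```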

4.4.4  System  Capabilities 

The  SC  is  an  independent  and  measurable  performance  of  the  system  which  is  an  aggregation  of 
relevant  system  functions.  All  SC  are  observable,  measurable,  and  repeatable.  Examples  of  SC 
are:  travel  on  roads,  fire  main  gun,  and  send/receive  short-range  communications.  These 
capabilities  are  used  to  evaluate  whether  or  not  the  system  can  accomplish  the  mission.  For 
example,  if  the  system  loses  the  ability  to  travel  off-road  but  the  mission  being  evaluated  is  to 
conduct  a  raid  in  an  urban  environment,  then  the  loss  of  this  capability  would  not  deter  the 
system  from  being  able  to  accomplish  the  mission.  The  elements  of  the  SC  fault  trees  are  the  SF 
that  are  required  to  perform  the  identified  capability. 

4.4.4. 1  Bins.  Multiple  levels  of  remaining  capability  may  exist  for  each  SC.  These  levels  of 
remaining  capability  are  known  as  “bins.”  These  bins  contain  all  the  available  levels  of 
performance  a  SC  can  have  as  the  system  is  degraded  due  to  component,  sub-system,  or  SF 
dysfunction.  These  bins  can  be  either  linearly  related,  as  is  the  case  for  attainable  speed  on 
roads,  or  categorical,  such  as  the  types  of  communication  that  can  be  sent/received.  Both  of 
these  forms  of  SC  bins  are  depicted  in  figure  9. 

Figure 9. The two forms of the SC bins.

The  values  assigned  to  the  bins  are  dependent  on  the  design  of  the  system  and  on  the  context  of 
the  capability.  For  example,  the  speed  of  a  wheeled  vehicle  is  dependent  on  whether  it  is 
designed  with  either  a  four-  or  eight-cylinder  engine  and  in  the  context  of  either  on-  or  off-road. 
In  reality,  the  SC  bins  are  continuous  from  not  capable  to  max  capability.  A  small  to  moderate 
number  of  discrete  bins  are  chosen  as  it  is  theoretically  impossible  to  map  the  fully  inclusive 
distribution  of  available  bins  based  on  all  conditions,  contexts,  and  levels  of  dysfunction. 

A  system  can  exist  in  only  one  bin  at  any  given  time  since  the  nature  of  the  bins  is  to  be  mutually 
exclusive from each other. If a system is fully functional then it is assigned the highest
performance  bin  within  the  system  function.  It  cannot  also  exist  in  the  lower  bins  because  each 
bin  is  a  representation  of  the  “best”  capabilities  of  the  system.  If  a  system  were  in  the  top- 
performance  bin  and  a  minimal-performance  bin,  then  it  is  impossible  to  determine  if  the  system 
is  fully  functional  or  degraded  in  some  way.  In  the  case  of  a  light-duty  pickup  truck,  the  system 
can  lose  the  ability  to  travel  at  a  maximum  off-road  speed  if  it  loses  any  of  the  critical  system 
functions,  as  depicted  in  figure  10.  Either  losing  a  SF  or  the  presence  of  a  lesser  (degraded)  SF 
will  put  the  system  into  a  lower-performance  SC  bin. 
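
An added example (not from the report) that carries component dysfunction up the four FS levels for the light-duty truck and assigns the single best SC bin; it also flags an SF fault tree that mixes sub-systems with SFs, the error shown in figure 6. Apart from the tire, wheel, and hub of the front-left wheel sub-system, every name and bin here is constructed.

```python
# Constructed functional skeleton for the light-duty truck. Only the front-left
# wheel sub-system (tire, wheel, hub) comes from the page; the rest is assumed.
SUB_SYSTEMS = {  # sub-system -> components, all required (series)
    "front-left wheel": ["FL tire", "FL wheel", "FL hub"],
    "engine": ["engine block", "fuel pump"],
    "alternator": ["alternator", "drive belt"],
    "battery": ["battery"],
}
SYSTEM_FUNCTIONS = {  # SF -> elements (sub-systems OR other SFs), all required
    "maintain traction": ["front-left wheel"],
    "generate energy from fuel": ["engine"],
    "provide alternator power": ["alternator"],
    "provide battery power": ["battery"],
    "propel vehicle": ["maintain traction", "generate energy from fuel"],
}
# Bins for one SC, best first. The last bin has no requirements, so exactly
# one bin is always assigned.
TRAVEL_OFF_ROAD_BINS = [
    ("maximum off-road speed", ["propel vehicle", "provide alternator power"]),
    ("reduced speed on battery", ["propel vehicle", "provide battery power"]),
    ("not capable", []),
]


def mixed_level_functions(system_functions, sub_systems):
    """Names of SFs whose fault tree mixes sub-systems with other SFs.

    Any element that is not a known sub-system is treated as an SF.
    """
    mixed = []
    for name, elems in system_functions.items():
        levels = {"SS" if e in sub_systems else "SF" for e in elems}
        if len(levels) > 1:
            mixed.append(name)
    return mixed


def sf_state(name, failed_components, transient=frozenset()):
    """Return 1 if the SF is functional, 0 if not.

    `transient` holds SFs that are dysfunctional for now even though their
    elements are intact (or absent, as for an SF with no elements).
    """
    if name in transient:
        return 0
    for elem in SYSTEM_FUNCTIONS[name]:
        if elem in SUB_SYSTEMS:
            if any(c in failed_components for c in SUB_SYSTEMS[elem]):
                return 0
        elif sf_state(elem, failed_components, transient) == 0:
            return 0
    return 1


def assign_bin(bins, failed_components, transient=frozenset()):
    """Return the single best bin whose required SFs are all functional."""
    for label, required in bins:
        if all(sf_state(sf, failed_components, transient) for sf in required):
            return label
    raise ValueError("bin list needs a final bin with no required SFs")


if __name__ == "__main__":
    print(mixed_level_functions(SYSTEM_FUNCTIONS, SUB_SYSTEMS))
    print(assign_bin(TRAVEL_OFF_ROAD_BINS, set()))
    print(assign_bin(TRAVEL_OFF_ROAD_BINS, {"drive belt"}))
    print(assign_bin(TRAVEL_OFF_ROAD_BINS, {"FL tire"}))
```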

4.4.4.2  Categories  and  Classes.  System  Capabilities  are  described  in  two  different  contexts:  the 
type  of  action  the  SC  represents  and  the  temporal  nature  of  the  SC  of  interest.  To  describe  the 
type  of  action  the  SC  represents,  we  group  the  SC  into  six  distinct  categories  for  ground-combat 
systems: 

• Movement - these are the capabilities that represent the ability of the system to move from
one location to the next.

•  Firepower  -  these  are  the  capabilities  that  determine  which  offensive  and/or  defensive 
weapon  performances  are  present  for  the  system. 

•  Communications. 

•  Survival  -  these  are  the  capabilities  that  determine  how  well  the  system  will  protect  both 
the  system  and  the  Warfighter. 

• Observations - these are the capabilities that allow the system to determine information
such  as  GPS  location,  identification  of  airborne  chemicals,  sensors,  etc. 

•  Special  -  these  are  SC  that  are  unique  to  a  system  and  are  not  common,  such  as  “treat 
critical  casualties”  for  an  ambulance  vehicle. 

Figure 10. Degraded bins for system capability travel off-road. (Legible in the figure: “Provide Alternator Power” and “Provide Battery Power.”)

Depicted in figure 11 is a sample grouping of system capabilities by category.

Figure 11. A sample categorical grouping of system capabilities.

To describe the temporal nature of the SC of interest, the SC are grouped into one of two classes:
persistent  and  transitional.  The  “persistent”  class  contains  SC  that  are  performing  continuously 
for  a  given  context.  These  are  either  employed  for  a  sustained  period  or  can  be  called  upon 
without  the  system  or  the  performances  of  the  system  being  modified  in  some  way.  Examples  of 
persistent  SC  are: 

•  Travel  on  roads  (movement) 

•  Shoot  main  weapon  (firepower) 

•  Send/receive  short-range  communications  (communicate) 

•  Protect  crew  (survival) 

•  Detect  CBRNE  (observations) 

Transitional  SC  are  used  to  change  the  conditions  or  state  of  a  system.  These  SC  are  usually 
employed  as  a  single  action  and  would  change  the  performance  of  the  system  from  one  persistent 
SC  to  a  different  SC  that  is  mutually  exclusive.  Examples  of  transitional  SC  are: 

•  Start  engine  -  transition  from  “not  possible”  to  “travel  on  roads  at  xx-mph.” 

• Emplace - for a howitzer, this SC allows the system to transition from the inability to fire
the  main  cannon  to  a  state  where  it  can  fire  the  main  cannon. 

4.4.4.3 Capabilities Common to a Family of Vehicles (FOV) and Variant Specific Capabilities.
For  an  FOV,  such  as  a  series  of  light  duty  tactical  trucks,  most  of  the  capabilities  will  be 
common  across  the  whole  family,  as  can  be  seen  in  figure  12.  These  common  SC  include,  but 
are  not  limited  to,  capabilities  for  travel  on  roads,  operate  during  daytime,  protect  crew,  and 
communication  short  range.  When  special  variants  exist  within  the  FOV — such  as  a  command 
and  control  (C2)  variant,  or  an  ambulance  variant — then  special,  variant  specific  capabilities  are 
defined.  For  the  C2  variant,  a  special  system  capability  of  “maintain  satellite  communication”  is 
defined  which  is  unique  to  that  variant  because  it  is  the  only  one  with  a  satellite  communication 
requirement.  For  the  ambulance  variant,  the  special  system  capability  of  “treat  critical 
casualties” is defined, which includes all of the advanced life support equipment and stretcher
racks.

Figure 12. System capabilities grouped by family-common and variant-specific.

Since  the  variants  across  the  FOV  will  share  the  common  system  capabilities,  this  significantly 
reduces  effort  to  analyze  these  systems.  It  also  allows  for  a  robust  analysis  across  the  variants  as 
they  jointly  execute  various  missions  and  tasks. 

4.4.5  Mission  Task 

The  mission  task  (MT)  is  the  operational  task  that  can  be  achieved  when  the  Warfighter  and  the 
system,  or  the  SoS,  work  in  concert.  For  the  U.S.  Army,  the  mission  tasks  are  defined  in  Field 
Manual (FM) 7-15: “Army Universal Task List” (77). Each MT as defined in FM 7-15 is not
tied  to  any  specific  system  or  armed  conflict.  They  are  intentionally  general  so  they  can  be 
employed  using  any  active  system  with  the  required  SC  in  any  conflict.  Specific  examples  of 
mission tasks are:

• Conduct a raid.

•  Conduct  direct  fires. 

•  Hold  an  objective  position. 

The  MT  is  not  a  level  in  the  functional  skeleton  but  is  at  least  one  level  above  the  FS.  This  is 
because  it  is  not  possible  to  create  an  entirely  scientific/quantitative  map  between  the  SC  and  the 
MT.  A  scientific  map  can  be  constructed  between  the  MT  and  the  SC  only  in  the  presence  of  an 
explicit  military  doctrine.  However,  an  evaluator  or  battle  commander  will  determine  which 
doctrine  and/or  actions  are  required  to  complete  an  objective,  and  then  employ  the  systems  and 
Warfighters  as  desired  to  achieve  that  objective.  This  is  done  based  on  the  current  context  of  the 
operation,  the  acceptable  risk,  and  the  available  resources.  The  FS  will  define  for  the 
commander  or  evaluator  what  systems  have  particular  capabilities  and  then  the 
commander/evaluator  will  determine  which  actions  to  take  based  on  those  capabilities. 

This  is  where  the  art  of  warfare  comes  into  play.  The  ways  the  task  can  be  executed  based  on  the 
available  capabilities  of  the  systems  can  change  regularly  based  on  the  changing/evolving 
context.  In  fact,  the  application  of  capabilities  into  mission  tasks  has  been  studied  as  it  has 
evolved  over  generations  of  warfare  and  is  expected  to  change  as  technology  and  civilizations 
adapt.  As  such,  there  is  no  “right”  answer  for  how  to  employ  a  system,  only  the  ones  that  may 
have  a  greater  chance  at  success  (72). 

4.5  Including  the  Warfighter 

Every  military  system  consists  of  the  hardware  and  the  personnel  that  are  operating  the  system. 
To  show  how  the  performance  of  the  system  is  affected  by  the  performance  of  the  crew,  the 
following  two  sections  will  detail  how  to  include  personnel  in  the  FS. 

4.5.1  Incorporation  of  the  Warfighter  Into  the  Functional  Skeleton 

With  the  FS,  each  person  that  interacts  with  the  system  will  be  considered  a  unique  and 
independent sub-system. This allows the personnel to be associated with their respective SF in
the  fault  tree.  For  example,  one  of  the  SF  for  the  system  capability  set  of  “travel  on  roads”  is 
“maintain  directional  control.”  For  the  hardware  of  the  system,  the  appropriate  sub-system  is  the 
steering  controls.  For  the  crew,  the  driver  is  in  series  with  the  steering  controls,  as  depicted  in 
figure  13.  If  for  any  reason  the  driver  is  unable  to  perform  his  task,  the  system  will  be  incapable 
of  traveling  on  roads  regardless  of  the  functional  status  of  the  hardware.  This  highlights  the  fact 
that  if  the  Warfighter  is  able  to  perform  a  particular  system  function,  then  the  Warfighter  is 
considered  to  be  “operationally  available.”  If  the  Warfighter  is  not  operationally  available,  then 
s/he is considered incapacitated.

Figure 13. Integration of crew into the FS.

4.5.2  Incapacitation  vs.  Injury 

As  described  in  the  previous  section,  the  concept  of  the  driver  being  a  critical  element  in  the 
capability  of  the  system  is  a  new  concept  with  this  methodology.  Previous  methodologies  used 
injury  severity  to  determine  the  incapacitation,  but  these  two  concepts  are  different  principles. 

So  what  is  the  difference  between  injury  and  incapacitation? 

Injury  simply  describes  how  a  human  body  responds  when  it  is  insulted  by  a  threat.  In  essence, 
injury  is  the  damage  that  the  human  body  sustains  when  attacked,  and  the  severity  is  rated  based 
on  the  level  of  the  threat  to  life  on  the  Warfighter.  The  scoring  system  for  injury  accounts  for 
and  assumes  the  anticipated  treatment  that  would  be  required  in  its  attempt  to  quantify  the  risk  to 
life.  Recalling  the  discussion  on  the  survive  category  of  the  system  capabilities  in  section 
4.4.4.2,  one  can  see  that  the  injury  rating  is  the  metric  that  is  used  to  determine  the  bins  of  how 
well  a  system  will  protect  the  crew. 

Incapacitation  is  the  next  evolution  of  the  injury  metric,  and  is  considered  an  additional  metric. 
Incapacitation evaluates the severity and location of the injury and compares it to the
performance required to successfully perform the SF or Warfighter task. The Warfighter is
considered incapacitated if they are unable to perform the required functions because of their
injuries.

As  the  definition  of  incapacitation  is  related  to  injury,  it  could  be  easily  confused.  Two 
theoretical  scenarios  are  presented  to  help  clarify  the  difference  between  the  metrics. 

• Scenario 1: A Warfighter is assigned the responsibility of guarding a convoy with a heavy
machine gun. In this assignment, the ability to “fire M2 machine gun” would have the
structure depicted in figure 14 for “engage enemies.” As can be seen, the Warfighter must
be operationally capable for the “engage enemies” system capability to be available.
Assume that the Warfighter receives a “severe” injury to one leg. In this case, the SC of
“protect crew” would be in a lower bin of “protect 1,” but the gunner is still operationally
capable of firing their weapon as their hands and eyes were not injured.

•  Scenario  2:  The  same  pre-insult  situation  exists  as  in  scenario  1.  In  this  case,  assume 
wind-blown  sand  momentarily  blinds  the  gunner.  Even  though  the  gunner  is  not  severely 
injured,  the  system  capability  to  engage  enemies  is  unavailable  because  the  gunner  is 
unable  to  aim  the  weapon. 

Figure 14. Incapacitation vs. injury within the FS.

Additionally, figure 14 depicts how the “protect crew” system capability would be structured for
the light-duty truck.

In  all  SCAP  analyses  the  injury  and  the  incapacitation  evaluation  can  occur  simultaneously.  By 
evaluating  the  two  metrics  as  described,  it  is  possible  to  determine  exactly  what  the  Warfighter  is 
capable  of  accomplishing  and  at  the  same  time  how  well  the  system  can  perform. 

4.5.3  Partial  Incapacitation  Not  Addressed  With  the  Current  Methodology 

If  the  crew  is  injured  or  ill  but  still  able,  it  is  assumed  they  are  still  capable  but  in  reality  they 
may  perform  in  a  less  than  optimal  state.  At  this  time,  the  functional  skeleton  does  not 
incorporate  partial  performance  of  the  crew,  so  it  is  assumed  that  as  long  as  a  crew  member  is 
not  incapacitated,  they  are  considered  fully  functional  and  operationally  available. 

4.6  Situation  Awareness 

Situation  awareness  (SA)  involves  being  aware  of  what  is  happening  around  you,  and 
understanding  how  information,  events,  and  your  own  actions  will  impact  your  goals  and 
objectives,  both  now  and  in  the  near  future.  Even  though  SA  is  a  common  term  in  requirement 
documentation  for  new  military  systems,  it  is  not  a  system  capability. 

Depicted  in  figure  15  is  a  possible  map  between  SC  and  SA.  Let’s  say  the  context  is  a  small 
convoy moving through a potentially hostile urban area. To understand where they are, they
need  to  observe  their  location.  To  understand  what  is  happening  outside  their  area  of  view  they 
need  to  be  able  to  send  and  receive  regular  communication.  If  a  threat  is  identified,  they  need  to 
be  able  to  protect  themselves  from  that  threat  (survive).  Decisions  are  based  off  of  the 
interpretation  of  these  and  other  samples  of  the  context  and  system  capabilities.  As  such,  SA  is 
defined  as  the  qualitative  aggregation  of  multiple  exclusive  SC  and  is  not  itself  a  SC. 

4.7  Dynamic  Application  of  the  Functional  Skeleton 

The  FS  is  a  static  framework  of  how  the  system  can  perform  given  the  specific  design  and 
assembly  of  its  components.  The  FS  will  not  change  during  a  simulation,  therefore  it  can  be 
dynamically  applied  at  any  given  time  state.  The  diversity  of  possible  sources  of  dysfunction 
allows  the  FS  to  be  applied  in  any  analysis  aimed  at  correlating  component  function  to  system 
capabilities.  This  allows  an  evaluator  or  computer  simulation  to  compile  multiple  damaging 
events  into  a  different  level  of  SC  after  each  event.  It  also  allows  for  multiple  sources  of 
component  dysfunction  to  be  applied  at  one  time.  For  example,  if  a  component  for  movement 
fails  due  to  a  reliability  failure,  a  system  may  slow  down.  If  it  is  then  attacked,  the  FS  is 
reapplied at the new state to determine if the system has moved to an even lesser SC bin.

Figure 15. A possible map between situational awareness and system capabilities.

4.8  Application  to  a  System-of-Systems  (SOS) 

Because  of  the  dynamic  nature  of  the  application  of  the  FS,  it  is  possible  to  employ  this 
methodology  to  a  networked  and/or  interacting  SOS. 

4.8.1  Linking  Capabilities 

It  is  possible  to  analyze  a  system-of-systems  using  the  FS  by  linking  the  systems  together  at  the 
SC  level.  If  two  systems  are  in  an  operation  that  is  dependent  on  communications,  then  the 
ability  to  send  and  receive  communications  for  both  systems  is  linked.  An  example  of  this 
follows  in  section  5.3. 

By  using  these  links,  it  is  possible  to  evaluate  if  a  communication  sent  from  one  system  is  able  to 
reach  other  systems.  To  determine  if  this  communication  is  received,  the  information  for  how 
communications  are  hindered  and  what  the  probability  of  success  will  be  are  entered  as  criteria 
on  the  link  between  the  two  systems.  Once  the  conditions  that  affect  a  communication  are 
known,  they  can  be  compared  to  the  conditions  that  exist  in  the  analysis  to  determine  the 
probability  of  success.  Once  the  probability  is  known,  a  draw  is  taken  on  the  probability  to 
determine  if  the  linked  communication  succeeds.  Some  conditions  that  could  affect  the  ability  to 
communicate  are  distance,  electronic  warfare  (EW),  and  obstructions.  As  these  factors  change, 
they affect the probability that the communication is successful.

Many other system capability categories are linked in a similar manner for a SOS. Table 1
depicts  several  sample  linked  capabilities  between  two  interacting  systems.  These  links  are  not 
always  a  static  link  between  two  distinct  systems,  but  could  be  a  dynamic  link  between  many 
systems  that  forms  when  two  systems  interact. 


Table 1. Linked system capabilities.

Categories          | First System SC                  | Second System SC
--------------------|----------------------------------|---------------------------------
Firepower/survival  | Fire cannon                      | Protect crew
Observation         | Conceal IR signal                | Detect IR signal
Communications      | Send/receive data communications | Send/receive data communications

4.8.2  Array  Capabilities 

It  is  possible  to  build  a  set  of  array  capabilities  (AC)  for  a  collection  of  systems  working  together 
for  a  specific  purpose  by  utilizing  linked  capabilities.  If  multiple  systems  are  working  in  concert, 
then  the  compilation  of  their  capabilities  into  the  AC  defines  for  the  evaluator/commander  what 
the  unit  is  capable  of  executing.  As  an  example,  consider  the  map  in  figure  16  that  depicts  the 
movement  of  two  main  battle  tanks.  Notice  how  the  speeds  of  all  the  tanks  will  combine  into  the 
AC  for  the  unit.  If  for  some  reason  one  tank  loses  the  ability  to  maintain  a  higher-speed  bin  and 
the  commander  intends  all  the  systems  in  the  unit  to  stay  together,  then  the  unit  will  have  to  slow 
down to match the speed of the degraded tank. For the array, this results in the AC being
assessed in a lesser-performing AC bin. The same kind of mapping can occur for all of the other
SC  categories. 

This  ability  to  build  array  capabilities  also  allows  for  dissimilar  systems  to  be  analyzed  together 
in  a  SOS.  Assume  the  analyst  is  looking  at  an  array  of  vehicles  that  contain  communications 
equipment,  air-defense,  perimeter-defense,  long-range  fire  support,  and  C2  systems.  By  linking 
the  capabilities  of  these  systems  together,  it  is  possible  to  build  a  map  between  the  individual 
system  capabilities  and  the  array  capabilities.  This  allows  the  analyst  to  determine  how  the  loss 
of the critical components in one system will affect the capabilities of the whole array.

Figure 16. An array capabilities for the speed of a unit of tanks.


5.  Examples  of  the  Application  of  the  Functional  Skeleton 


5.1  A  Brief  Overview  of  the  Missions  and  Means  Framework 

SCAP  can  be  used  to  model  the  relationships  between  two  systems  in  a  force-on-force 
engagement.  To  represent  the  actions  and  timing  in  this  engagement,  the  missions  and  means 
framework  (MMF)  will  be  employed  in  collaboration  with  SCAP.  MMF  is  a  well-documented 
construct and is a foundation principle of Deitz et al. (13). The seven levels of MMF are
depicted  in  figure  17.  As  MMF  is  well-documented,  it  will  not  be  thoroughly  explained  in  this 
report; however, a brief explanation follows.

Figure 17. The missions and means framework.

MMF  is  depicted  in  the  second  chapter  of  the  above-mentioned  book  and  is  a  construct  of  three 
underlying  paradigms.  The  first  paradigm  defines  the  relationships  of  a  system’s  component 
damage  state,  through  a  system’s  capabilities,  to  the  system’s  combat  utility.  The  second 
paradigm  is  how  systems,  as  they  engage  and  interact  with  each  other,  either  improve  or  degrade 
components  and  capabilities  of  another  system  via  their  respective  combat  utility.  The  third 
paradigm  is  focused  on  the  larger  scale  operations.  As  the  component  damage  state  and  the 
combat  utility  of  the  hardware  changes  through  interactions,  the  effects  will  integrate  into  the 
higher-level  relationships  that  will  affect  changes  to  the  mission,  purpose,  and  context.  It  can  be 
noted  that  MMF  is  not  a  static  process,  but  rather  a  dynamic  application  of  ever-changing  and 
potentially  complex  relationships  between  systems. 

5.2  Example — Tanks  in  Combat 

Assume  an  example  of  two  generic  tanks  in  combat.  The  initial  index  of  this  engagement  is 
depicted  in  figure  18.  It  is  assumed  that  the  opposition  force  (OPFOR)  tank  (tank  B)  is  sitting  in 
defilade  in  a  combat  zone.  The  primary  mission  of  tank  B  is  to  wait  for  a  possible  tank  from  the 
blue  force  (BLUFOR)  and  prevent  it  from  entering  a  specific  zone.  Assume  a  BLUFOR  tank 
(tank A) is in the area and unknowingly enters the effective combat range of tank B.

It is assumed that all components of tank B are functioning properly; therefore, it has the
capability to observe tank A move into range. A decision is made by the commander of tank B
to fire on tank A. At this point, the FS of tank B is referenced to see if tank B has the capability
to fire on tank A. As all firepower components and sub-systems are functional, and therefore all SF
are functional, tank B is capable of firing on tank A, which is depicted in figure 19. Therefore,
tank B fires an anti-tank munition at tank A.


Figure 18. MMF at index 1.

Figure 19. Tank B system capabilities at index 1.

It is possible to show how the decision and action of tank B firing a round will affect tank A.
This  is  done  by  advancing  the  index  within  MMF  to  the  time  that  the  round  from  tank  B  impacts 
tank  A,  known  as  index  2  and  depicted  in  figure  20.  By  utilizing  existing  methodologies  in 
vulnerability  analysis,  it  is  possible  to  predict  the  effect  of  the  munition  interacting  with  the 
components  of  tank  A.  The  resultant  damage  state  of  the  components,  either  functional  or 
dysfunctional,  can  then  be  supplied  into  the  FS  of  tank  A.  By  tracing  the  effect  of  dysfunctional 
components  through  the  fault  trees,  it  is  concluded  that  tank  A  is  unable  to  travel  further.  The 
portion  of  the  FS  for  tank  A,  focusing  on  some  of  the  mobility  components,  is  shown  in  figure 
21.

Figure 21. Tank A system capabilities at index 2.

After the damage from the first round is assessed, MMF will advance to the next time index,
which  is  depicted  in  figure  22.  The  first  interaction  between  the  two  tanks  did  result  in  a 
complete  loss  of  capability  for  tank  A  to  move  out  of  combat  zone,  but  all  components  for  the 
main  gun  are  undamaged.  Therefore,  using  the  FS  for  tank  A  as  shown  in  figure  23,  it  is  evident 
that tank A is able to fire directly on tank B in a return-fire capacity. A decision is made by the
commander of tank A to return fire, and a munition is sent down-range to tank B.

Figure 22. MMF at index 3.

Figure 23. Tank A system capabilities at index 3.

The next time index in MMF is when the round from tank A impacts on tank B, which is
depicted  in  figure  24.  By  again  utilizing  existing  methodologies,  it  is  possible  to  determine  what 
components  in  tank  B  will  be  damaged  and  rendered  dysfunctional.  In  this  example,  it  is 
assumed  that  the  damaged  components  will  be  some  form  of  energetic  material  inside  of  tank  B 
and will result in a catastrophic detonation, which is depicted in figure 25.

Figure 24. MMF at index 4.

Figure 25. Tank B system capabilities at index 4.

The final time index in this engagement is the resultant state of tank B after the munition
from tank A interacts with the components of tank B. Because a catastrophic
detonation  has  occurred  in  tank  B,  it  is  assumed  all  components  of  tank  B  are  destroyed  and, 
therefore,  dysfunctional.  Utilizing  the  FS,  one  can  see  that  tank  B  has  no  remaining  SC.  By 
referencing  these  lost  SC  into  MMF,  it  is  shown  that  tank  B  has  no  remaining  combat  utility.  As 
tank  B  is  unable  to  perform  any  further  activities  in  MMF,  it  has  failed  in  its  missions  and  is  no 
longer  able  to  affect  the  outcome  of  the  conflict. 

5.3  Example — UAV  as  a  Forward  Observer 

An  example  of  how  SC  can  be  linked  will  now  be  explored  for  an  unmanned  aerial  vehicle 
(UAV)  serving  as  a  forward  observer  for  a  self-propelled  howitzer  in  an  indirect  fire  support 
mission.  This  example  was  inspired  by  an  example  in  Deitz  et  al.  (13)  where  a  UAV  is  serving 
as  a  forward  observer  for  a  ground  combat  vehicle  when  explaining  possible  ways  to  depict 
vulnerability  analysis  of  an  SoS. 

Assume  a  UAV  is  on  a  persistent  surveillance  mission  in  an  isolated  combat  zone.  No  BLUFOR 
units  are  in  the  vicinity  of  the  UAV’s  observed  zone.  As  the  UAV  patrols,  the  IR  sensor  on  the 
UAV  moves  closer  to  an  object  on  the  ground  that  is  emitting  an  IR  signature.  We  will  assume 
that  all  components  on  the  UAV  are  functional  (as  shown  in  figure  26),  therefore,  the  IR-sensor 
system  is  functional  and  will  use  a  probability  of  detection  for  all  signals  it  encounters.  Assume 
the  IR-sensor  system  is  at  a  known  distance  from  the  potential  target  and  the  IR  signal  is  strong 
due  to  inadequate  thermal  shielding  of  the  object  on  the  ground.  Using  the  discussion  from 
section 4.4.3.2, we will see that conditions on the UAV (range, signal strength) show that it is
capable of detecting the IR-signature with a success rate of about 60%.

A  random  draw  occurs  to  see  if  the  UAV  detects  the  target  using  a  Bernoulli  trial  with  a 
probability  of  success  of  60%.  In  this  case,  it  is  assumed  that  the  Bernoulli  trial  produces  a 
successful  result,  and  therefore  the  PSF  of  “detect  signature”  is  successful  and  the  UAV  detects  a 
target  of  opportunity. 

As  the  UAV  has  successfully  detected  a  target  of  opportunity,  a  communication  is  to  be  sent  to  a 
fire support battalion. Assuming the components for the antennae sub-system are functional and
all other critical communications sub-systems are also functional, the UAV has the
capability to send a long-range communication.

Figure 26. A sample of the UAV functional skeleton.

Changing  our  attention  to  the  emplaced  fire-support  battalion,  it  is  assumed  that  all  components 
critical  to  communication  are  functional.  Therefore,  the  SPH  of  interest  is  capable  of  receiving 
the  communication  from  the  UAV.  Recalling  the  sample  definition  from  earlier,  we  can  see  in 
figure  27  that  the  self-propelled  Howitzer  (SPH)  is  capable  of  firing  on  the  target  in  an  indirect 
fire  mission. 

As  discussed  in  this  example,  and  depicted  in  figure  28,  the  FS  for  systems  within  an  SoS  are 
linked  by  mutual  SC.  Due  to  this  linkage,  it  is  possible  to  directly  correlate  the  component  state 
of  one  system  to  the  capability  of  a  networked  system  and  also  to  determine  the  overall  effect  on 
a  mission  vignette.  This  has  not  been  possible  with  traditional  vulnerability/lethality  (V/L) 
methodologies. 

If  a  critical  communications  component  of  either  system  was  dysfunctional,  then  it  would  be 
possible  to  determine  the  overall  combat  utility  of  the  SoS  due  to  the  lost  communication.  In  this 
example,  the  fire  mission  would  not  occur  and  a  mission  to  suppress  hostile  activity  in  a  remote 
region would be unsuccessful, even though one system would be fully functional.

Figure 27. A sample of the SPH functional skeleton.


Figure 28. A sample of the linked capabilities. Labels recoverable from the figure: Detect Target (IR); Operate in Day Conditions; Maintain Powered Flight; Maintain Navigation; Observe Target (Video); Designate Target; Prevent Catastrophic Loss; Send/Receive Long-Range Communications; Aim on Target, Indirect Fires; Conduct Indirect Fires; Observe for Artillery Fires; Fire Munition; Maintain Internal Communications; Protect Crew.

6. Mathematical Representation of the Functional Skeleton


6.1  Representing  a  Single  System  by  Vectors 

Now  that  several  examples  have  been  shown  on  how  the  functional  skeleton  can  be  used  in  a 
SoS  using  a  storyboard  approach,  the  mathematical  treatment  of  the  methodology  within  a  SoS  is 
discussed. 

Recalling  the  discussion  in  section  3  about  how  elements  in  a  fault  tree  are  represented,  as  well 
as  the  discussions  of  the  various  levels  of  the  FS  in  sections  4.4.1  through  4.4.4,  each  element 
within  the  FS  is  therefore  represented  as  an  element  with  the  following  nomenclature: 

C_i = a specific component

SF_i = a specific system function

SC_i = a specific system capability

When  the  criticality  analysis  is  complete,  all  components  that  are  required  for  the  system  to 
function  as  the  Warfighter  intends  will  be  known.  Assume  that  the  total  count  of  critical 
components  is  assigned  the  variable  of  “n”. 

n  =  total  count  of  critical  components 

Each  critical  component  will  be  assigned  an  element  identifier,  as  depicted  in  the  following 
table: 

C_1 = left-front tire
C_2 = left-front wheel
C_3 = engine block
C_4 = transmission block
C_5 = fuel pump

C_n = the last critical component

It is now possible to take the collection of component elements and compile them into a vector as
depicted in equation 5. Recalling the earlier discussion of dysfunction, each component C_i will
be represented as either a “0” or a “1” depending on its current functional state.

As C is a vector, it is equivalent to a one-dimensional matrix with dimensions n x 1. A similar
construct exists for all system functions and system capability bins within the functional
skeleton.

Every system within a SoS simulation will be represented by a vector set which includes the C,
SF, and SC vectors for that system. The decisions within the SoS will be based on the
availability  depicted  within  the  SF  and  SC  vectors,  and  the  component  availability  will  be 
represented  within  the  C  vector.  When  a  battlefield  threat  or  other  interaction  occurs  on  the 
components  in  the  C  vector  and  changes  their  values,  then  the  FS  can  be  used  as  a  transfer 
function  that  adjusts  the  values  in  the  SF  and  SC  vectors.  This  allows  for  the  systems  to  be 
dynamically  interrogated  and  greatly  simplifies  the  constructs  required  to  represent  the  systems 
within a simulation.

How will the transfer functions be compiled for the construction of the SF and SC vectors?
Simply  stated,  they  are  the  relationships  that  are  defined  in  the  functional  skeleton  and  are 
depicted  mathematically  as  described  in  section  3.  For  a  generic  system  with  a  known  C  vector, 
the  SF  and  SC  vectors  are  compiled  as  depicted  in  equations  8  and  9.  As  the  component  state  in 
the  vector  C  changes,  the  equations  embedded  as  the  transfer  functions  within  the  SF  and 
SC  vectors  will  adjust  the  corresponding  values  to  either  a  “1”  or  a  “0”. 
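The transfer-function idea above, written out as an added Python example (not code from the report): the FS maps a 0/1 component vector C to an SF vector and an SC bin vector, and is reapplied after each damaging event. C_1 to C_5 follow the table above; the remaining components, the SF groupings and the bin names are assumptions made for illustration.

```python
"""Added example: a functional skeleton (FS) used as a transfer function C -> SF -> SC."""
from typing import Dict, List, Tuple

# C_1..C_5 are the components named in the report's table; the rest are
# hypothetical additions so that the crew and a degraded bin can be shown.
COMPONENTS: List[str] = [
    "left-front tire", "left-front wheel", "engine block",
    "transmission block", "fuel pump",
    "steering controls", "primary brake", "secondary brake", "driver",
]
INDEX = {name: i for i, name in enumerate(COMPONENTS)}

# Each system function (SF) is a series (AND) of the components it needs.
# The groupings are assumptions made for this example.
SYSTEM_FUNCTIONS: Dict[str, Tuple[str, ...]] = {
    "provide traction": ("left-front tire", "left-front wheel"),
    "provide power": ("engine block", "fuel pump"),
    "transmit power": ("transmission block",),
    # The driver is in series with the steering controls (section 4.5.1).
    "maintain directional control": ("steering controls", "driver"),
    "stop with primary brake": ("primary brake",),
    "stop with secondary brake": ("secondary brake",),
}

_MOVE = ("provide traction", "provide power", "transmit power",
         "maintain directional control")

# SC bins for "travel on roads", best first. The lesser bin is a copy of the top
# bin with one SF swapped for the SF that only the degraded state needs, and the
# last bin is the empty "not possible" bin. Bin names are hypothetical.
TRAVEL_ON_ROADS_BINS: List[Tuple[str, Tuple[str, ...]]] = [
    ("travel on roads, full performance", _MOVE + ("stop with primary brake",)),
    ("travel on roads, degraded", _MOVE + ("stop with secondary brake",)),
    ("not possible", ()),
]


def apply_fs(c: List[int]) -> Tuple[List[int], List[int]]:
    """Map a component vector C (1 functional, 0 dysfunctional) to (SF, SC)."""
    if len(c) != len(COMPONENTS) or any(v not in (0, 1) for v in c):
        raise ValueError("C must hold one 0/1 entry per critical component")
    sf = {name: int(all(c[INDEX[part]] for part in parts))
          for name, parts in SYSTEM_FUNCTIONS.items()}
    sf_vector = list(sf.values())
    # A bin is available (1) when every SF it requires is available.
    sc_vector = [int(all(sf[req] for req in required))
                 for _, required in TRAVEL_ON_ROADS_BINS]
    return sf_vector, sc_vector


def assessed_bin(sc_vector: List[int]) -> str:
    """The assessed bin is the best one still available; 'not possible' is always 1."""
    return TRAVEL_ON_ROADS_BINS[sc_vector.index(1)][0]


def replay(events: List[List[str]]) -> List[str]:
    """Reapply the static FS after each event that adds dysfunctional components."""
    c = [1] * len(COMPONENTS)
    history = [assessed_bin(apply_fs(c)[1])]
    for newly_dysfunctional in events:
        for name in newly_dysfunctional:
            c[INDEX[name]] = 0
        history.append(assessed_bin(apply_fs(c)[1]))
    return history


if __name__ == "__main__":
    # Constructed sequence: a reliability failure, then battle damage.
    for step, bin_name in enumerate(replay([["primary brake"], ["fuel pump"]])):
        print(step, bin_name)
```

Because the "not possible" bin requires no SF, it is always available, so every component vector is assessed into exactly one bin.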

6.2 Vector Representation of an Array of Systems

Recalling  the  discussion  of  linking  capabilities  in  section  4.8.1  as  well  as  the  UAV/SPH  example 
in  section  5.3,  it  is  possible  to  explain  how  the  mathematical  representation  of  single  systems  can 
be  expanded  into  the  mathematical  representations  of  array  capabilities,  which  were  presented  in 
section  4.8.2. 

If  we  represent  the  UAV  and  the  SPH  by  their  respective  SC  vectors,  as  shown  in  equations  10 
and  11,  then  it  is  possible  to  create  the  array  capabilities  from  the  independent  systems  by  having 
the  SC  vectors  linked  as  shown  in  equation  12.  In  this  equation,  X  is  defined  as  all  of  the 
conditions  that  exist  between  the  UAV  and  the  SPH.  As  X  changes,  so  will  the  array 
capabilities. 
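An added Python example (not code from the report) of the linking described here and in sections 4.8.1, 4.8.2 and 5.3: two SC vectors joined by a link whose success depends on the conditions X, with one Bernoulli draw per probabilistic step. The 60% detection rate is the report's; the link criteria, their numbers, the field names of X and the speed-bin names are assumptions.

```python
"""Added example: linking the SC of a UAV forward observer and an SPH."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List

DETECT = "detect target (IR)"
LONG_RANGE = "send/receive long-range communications"
INDIRECT = "conduct indirect fires"

# Constructed SC vectors (1 = available) for two fully functional systems.
UAV_SC: Dict[str, int] = {DETECT: 1, LONG_RANGE: 1}
SPH_SC: Dict[str, int] = {LONG_RANGE: 1, INDIRECT: 1}


@dataclass(frozen=True)
class LinkConditions:
    """The conditions X on the link; these three fields are assumptions."""
    distance_km: float
    electronic_warfare: bool
    obstructed: bool


def link_success_probability(x: LinkConditions) -> float:
    """Hypothetical link criteria. The numbers are constructed, not the report's."""
    p = 0.95 if x.distance_km <= 40.0 else 0.70
    if x.electronic_warfare:
        p *= 0.50
    if x.obstructed:
        p *= 0.80
    return p


def fire_mission(uav_sc: Dict[str, int], sph_sc: Dict[str, int],
                 x: LinkConditions, p_detect: float,
                 draw: Callable[[], float] = random.random) -> Dict[str, int]:
    """Walk the linked chain; a draw is taken only when the step is reachable."""
    stage = {"detected": 0, "sent": 0, "received": 0, "fire mission": 0}
    stage["detected"] = int(bool(uav_sc[DETECT]) and draw() < p_detect)
    stage["sent"] = int(bool(stage["detected"] and uav_sc[LONG_RANGE]))
    stage["received"] = int(bool(stage["sent"] and sph_sc[LONG_RANGE])
                            and draw() < link_success_probability(x))
    stage["fire mission"] = int(bool(stage["received"] and sph_sc[INDIRECT]))
    return stage


def estimate_success_rate(uav_sc: Dict[str, int], sph_sc: Dict[str, int],
                          x: LinkConditions, p_detect: float,
                          trials: int, seed: int) -> float:
    """Frequency of a completed fire mission over repeated, seeded trials."""
    rng = random.Random(seed)  # seeded so that the run is repeatable
    hits = sum(fire_mission(uav_sc, sph_sc, x, p_detect, rng.random)["fire mission"]
               for _ in range(trials))
    return hits / trials


# Hypothetical speed bins, worst first, for the array capability of section 4.8.2.
SPEED_BINS: List[str] = ["not possible", "degraded speed", "full speed"]


def array_speed_bin(member_bins: List[str]) -> str:
    """A unit that stays together moves in the bin of its slowest member."""
    return min(member_bins, key=SPEED_BINS.index)


if __name__ == "__main__":
    x = LinkConditions(distance_km=25.0, electronic_warfare=False, obstructed=False)
    print(estimate_success_rate(UAV_SC, SPH_SC, x, 0.60, trials=20000, seed=7))
    print(array_speed_bin(["full speed", "degraded speed"]))
```

Setting either system's long-range communications entry to 0 makes the fire mission unavailable without any draw on the link, which is the lost-communication case described at the end of section 5.3.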

7. Construction of the Functional Skeleton


The FS is a framework that contains information about the design of the system. So how does an
analyst  construct  the  FS? 

The  answer  is  rather  straightforward:  it  depends  on  what  information  you  know  about  the 
system.  If  the  design  of  the  system  is  known,  then  the  analyst  will  start  the  construction  from  the 
components  and  move  up  to  the  capabilities.  If  the  required  tasks,  capabilities,  and/or 
performance  requirements  are  known,  then  the  analyst  will  decompose  from  the  SC  to  the  SF  and 
then  identify  what  sub-systems,  and  possibly  the  components,  are  required  to  produce  these 
capabilities.  It  is  also  possible  to  employ  both  approaches  in  a  hybrid  manner:  if  the  design  is 
known  and  the  required  capabilities  are  defined,  then  the  map  can  be  compiled  from  both  ends  to 
determine  if  the  design  of  the  system  matches  the  requirements  for  the  system. 
For  the  SC  bins,  it  is  best  to  first  create  the  top-performance  bin  within  each  SC.  Once  the  top 
bin  is  known,  then  it  is  usually  far  easier  to  copy  the  bin  into  a  lesser  bin  and  remove  the  SF  that 
are  required  for  the  higher  bin  and  not  required  for  the  lesser  bin.  There  may  be  times  when  a 
specific  SF  will  be  added  to  a  lesser  bin  that  is  required  to  maintain  the  degraded  state,  but  is  not 
required  to  perform  in  a  higher  bin.  One  example  of  this  would  be  the  application  of  a  secondary 
braking  system  only  if  the  primary  has  failed. 

In  all  SC,  it  is  necessary  to  add  a  bin  at  the  bottom  of  the  series  that  is  the  “not  possible”  bin. 
Most  of  the  time,  these  bins  will  contain  no  SF  and  are  the  default  result  assessed  if  all  other  SC 
bins  are  lost.  These  “not  possible”  bins  are  required  for  two  reasons:  the  first  is  that  if  all 
capabilities  are  lost,  then  the  only  possible  performance  is  a  “not  possible.”  The  second  reason  is 
a  mathematical  requirement:  if  the  frequencies  of  all  bins  are  added  up,  including  the  “not 
possible”  bin,  then  the  result  should  equal  100%.  This  allows  an  analyst  to  determine  the  critical 
hardware  that  causes  a  total  system  failure  and  also  determine  the  frequency  of  these  occurrences 
for  a  given  condition. 
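
The bin construction described above, together with the transfer-function relationship between the C, SF, and SC vectors from section 6, can be sketched as follows. This is an added example, not part of the original report; the components, system functions, bin contents, and the equal weighting of component states are all hypothetical.

```python
from itertools import product

# Hypothetical C vector: component states, 1 = functional, 0 = dysfunctional.
COMPONENTS = ["engine", "primary_brake", "secondary_brake", "driver"]

# Hypothetical transfer functions: each SF evaluates to 1 or 0 from C.
SYSTEM_FUNCTIONS = {
    "provide_power": lambda c: c["engine"],
    "primary_braking": lambda c: c["primary_brake"],
    "secondary_braking": lambda c: c["secondary_brake"],
    "operate_vehicle": lambda c: c["driver"],
}

# Bins of one SC, top performance first. The lesser bin is the top bin with
# primary_braking removed and secondary_braking added to hold the degraded state.
MOBILITY_BINS = [
    ("full mobility", ["provide_power", "operate_vehicle", "primary_braking"]),
    ("degraded mobility", ["provide_power", "operate_vehicle", "secondary_braking"]),
    ("not possible", []),  # requires no SF: the default when all other bins are lost
]

def sf_vector(c):
    """Evaluate every transfer function against the component state c."""
    return {name: int(bool(fn(c))) for name, fn in SYSTEM_FUNCTIONS.items()}

def assess_bin(c, bins=MOBILITY_BINS):
    """Return the highest bin whose required SF are all 1."""
    sf = sf_vector(c)
    for label, required in bins:
        if all(sf[name] for name in required):
            return label
    raise ValueError("bin series has no 'not possible' bin")

def bin_frequencies(bins=MOBILITY_BINS):
    """Percent of component states per bin, all states weighted equally (assumption)."""
    states = list(product([0, 1], repeat=len(COMPONENTS)))
    counts = {label: 0 for label, _ in bins}
    for values in states:
        counts[assess_bin(dict(zip(COMPONENTS, values)), bins)] += 1
    return {label: 100.0 * n / len(states) for label, n in counts.items()}

def critical_components(bins=MOBILITY_BINS):
    """Components whose loss alone drops the SC to 'not possible'."""
    critical = []
    for lost in COMPONENTS:
        c = {name: int(name != lost) for name in COMPONENTS}
        if assess_bin(c, bins) == "not possible":
            critical.append(lost)
    return critical

if __name__ == "__main__":
    print(bin_frequencies(), critical_components())
```

Because the "not possible" bin requires no SF, every component state falls into exactly one bin, which is why the frequencies total 100%.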


8.  Next  Steps 


A  series  of  next  steps  are  already  planned  since  SCAP  is  continuing  to  evolve. 

8.1  Methodology 

Two  main  shortcomings  have  yet  to  be  addressed  at  the  time  of  this  report’s  composition.  The 
first is the ability to handle time-dependent degradation of SCs. For this concept to be
accurately  represented,  the  variable  representing  time  after  a  component  becomes  dysfunctional 
needs  to  be  incorporated  into  the  results  of  when  a  related  SC  will  become  dysfunctional.  At  this 
time,  an  untested  abstract  has  been  proposed  and  will  be  pursued  to  check  for  its  validity. 

The  second  construct  that  needs  to  be  explored  is  how  to  represent  crew  that  will  adjust  their 
positions  and  roles  when  a  fellow  crew  member  becomes  injured  or  incapacitated.  As  was  seen 
in  section  4.5,  crews  are  an  important  component  for  the  system  capabilities.  In  combat,  a 
critical  system  capability  that  is  lost  due  to  a  Warfighter  incapacitation  will  be  restored  by  an 
operationally  capable  Warfighter,  assuming  the  required  switch  is  possible.  Again,  an  untested 
abstract  has  been  proposed  and  will  be  pursued  to  test  its  validity. 

8.2  Applications 

At  the  time  of  this  writing,  several  applications  for  SCAP  have  already  been  identified.  The  two 
primary customers of SCAP and the FS are the U.S. Army Test and Evaluation Command’s
(ATEC)  mission-based  test  and  evaluation  (MBT&E)  and  ARL/SLAD’s  system  of  systems 
survivability  simulation  (S4).  Both  are  looking  to  incorporate  the  FS,  albeit  in  different  manners. 
Also in ARL, the Human Research and Engineering Directorate (HRED) is currently exploring
a potential application of SCAP for human-factor studies. Finally, it appears that SCAP will be
able to merge with reliability analysis; this is currently in a very early stage of investigation.

8.3  Documentation 

Because SCAP methodology and applications are continuing to evolve, it is anticipated that a number
of follow-on documents will be presented that will go “in-depth” on various topics. Also
anticipated  is  a  follow-on  document  that  will  supersede  this  report  when  the  issues  identified  in 
section  8.1  are  resolved  and  various  trials  are  completed. 
         array capability
ARL      U.S. Army Research Laboratory
ATEC     U.S. Army Test and Evaluation Command
AUTL     Army Universal Task List
BLUFOR   blue force
C        component
C2       command and control
CA       criticality analysis
CBRNE    chemical, biological, radiological, nuclear, and electromagnetic
DOD      U.S. Department of Defense
EW       electronic warfare
FM       field manual
FOV      family of vehicles
FS       functional skeleton
GPS      global positioning system
HRED     Human Research and Engineering Directorate
IR       infra-red
LFT&E    live fire test and evaluation
LOF      loss of function
M2       machine gun, Browning 0.50 caliber
MBT&E    mission-based test and evaluation
MMF      missions and means framework
MT       mission task
OPFOR    opposition force
         probabilistic system functions
S4       systems of systems survivability simulation
         situational awareness
SC       system capability
SCAP     system capabilities analytic process
SF       system function
SLAD     Survivability/Lethality Analysis Directorate
SOS      system of systems
SPH      self-propelled Howitzer
SS       sub-system
T&E      test and evaluation
UAV      unmanned aerial vehicle
V/L      vulnerability/lethality